Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use
Andy Petrovich, MHSA, MPH
M-CEITA / Altarum Institute
October 1, 2014
Who is M-CEITA?
- Michigan Center for Effective Information Technology Adoption (M-CEITA)
- One of 62 ONC Regional Extension Centers (RECs) providing education and technical assistance to primary care providers across the country
- Founded as part of the HITECH Act to accelerate the adoption, implementation, and effective use of electronic health records (EHR), e.g. 90 days of MU
- Funded by ARRA of 2009 (Stimulus Plan)
- Purpose: support the Triple Aim by achieving 5 overall performance goals
[Diagram: The Triple Aim (Improve patient experience; Improve population health; Reduce costs), supported by Performance Measurement, Meaningful Use and Certified Technology Infrastructure, and five performance goals: Improve Quality, Safety & Efficiency; Engage Patients & Families; Improve Care Coordination; Improve Population and Public Health; Ensure Privacy and Security Protections]
M-CEITA's Performance
- 5,000+ providers enrolled for M-CEITA support, impacting over 2 million patients
- 4,100+ providers are live on EHR
- 3,000+ have achieved Meaningful Use standards
- Latest survey shows 99% of M-CEITA customers are satisfied with services
M-CEITA Subsidized Services for Providers
M-CEITA service delivery (PCPs: Medicare/Medicaid; Specialists: Medicaid only):
1. Engagement: establish baseline performance, educate
2. EHR Selection (if needed): guidance for 2014 certified products
3. Planning: develop transition plans; identify key process changes
4. Implementation: establishing timelines for project management
5. Meaningful Use: support MU objectives; assist with registration and attestation
M-CEITA's Services
Our services are highly subsidized for qualified physicians. These Health IT services include:
- Meaningful Use Support
- Security Risk Assessment
- Targeted Process Optimization (Lean)
- Attestation/Audit Preparation
Security Risk Assessment
Risk
- People want to get value from the world
- The world can be dangerous
- People want to be secure from dangers
- How do we get security in an insecure world?
HIPAA Security Rule
Title II, Administrative Simplification > Security Rule > Security Standards:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational Requirements
- Policies and Procedures / Documentation Requirements
SRA as part of the HIPAA Security Rule
45 CFR 164.308(a)(1) implementation specifications:
- Risk Assessment (Risk Analysis)
- Risk Management
- Sanction Policy
- Information System Activity Review
Risk Analysis: "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."
SRA as a Meaningful Use requirement
Core Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
HHS Office for Civil Rights (OCR) Final Guidance
- Scope must include all ePHI in the organization
- Data collection and methods must be documented
- Identify and document anticipated threats and vulnerabilities
- Assess current security measures in place
- Establish likelihood of threat occurrence
- Establish potential impact of threat occurrence
- Determine level of risk
- Document the complete risk analysis
- Periodic review and update
There is no one way to do an SRA, but every method must meet these objectives.
Top 10 Most Common Privacy/Security Violations
10. Incomplete HIPAA authorization forms
9. Exclusion of a right to revoke clause
8. Failure to establish contract with business associates
7. Release of information after the authorization period has expired
6. Errors in paper file storage and disposal
5. Failure to release patient information in a timely manner
4. Computer hacking
3. The loss of backup disks or portable drives
2. Employees inappropriately accessing, using, or transmitting PHI
1. Storing unencrypted patient information on laptops
How many of these does an organization have direct control over?
Why Complete a Security Risk Assessment?
Consider three reasons to complete an SRA:
- Patient Safety
- Public Perception
- Compliance
All good reasons, but which is the top priority for your practice?
Patient Safety
First, do no harm.
- Medical records of as many as 67.7 million people have been breached since 2009
- Average of 11.5 million identities stolen every year
- Average cost: $4,930 per household
Public Perception
Patients want access to their information and they want it to be safe.
- 81% of patients have concerns about privacy and security of EHR
- 60% of patients believe that EHR use will result in more information being lost or stolen
Patients, like any consumer, vote with their feet.
Risk is on the Rise
- HIPAA breaches increased 138% from 2012 to 2013
- Healthcare is now the leading US industry for data breaches
- This is despite increased awareness of the HIPAA Security Rule due to Meaningful Use programs
Factors resulting in increased risk:
- Increased EHR adoption
- Legislation (Meaningful Use, ACA)
- Changing landscape (ACO, HIE)
Risk Defined
Risk is the potential (likelihood) of a negative outcome (impact) toward an asset, due to a vulnerability being exploited by a threat that would reduce the value of the asset to the organization. (NIST SP 800-30)
Vulnerabilities and Controls
- For valuable assets, we need access to utilize the value
- Systems are designed to permit access, but all have vulnerabilities
- Controls reduce or eliminate unauthorized access
Threats and Threat Sources
Question: Do the majority of healthcare data breaches stem from an internal or external source?
Often there is overlap of internal and external sources.
What is at risk?
- Confidentiality
- Integrity
- Availability
Security Rule Requirements

| Security Components | Example Variables | Example Security Measures |
|---|---|---|
| Physical Safeguards | Facility structure; Data storage center; Computer hardware | Building alarm system; Locked doors; Monitors shielded from view |
| Administrative Safeguards | Designated security officer; Staff training and oversight; Information security control; SRA review | Staff training; Monthly review of user activity; Policy enforcement; New hire background checks |
| Technical Safeguards | Controls on access to EHR; Audit log monitoring; Secure electronic exchanges | Secure passwords; Data backup; Virus scans; Encryption |
| Policies and Procedures | Written P&P addressing HIPAA Security requirements; Documentation of security measures | Written protocols on safeguards; Record retention; Periodic policy and procedure review |
| Organizational Requirements | Breach notification and other policies; Business Associate agreements | Periodic Business Associate Agreement review and updates |
Good Faith Effort
- Compliance isn't enough: you can be compliant and still suffer a breach
- Risk can never be eliminated; reduce risk to a reasonable and appropriate level
- The expectation is for organizations to put forth a good faith effort
HIPAA Audit Program
- OCR has been enforcing HIPAA since 2003
- OCR random audit program set to begin in 2014
- Provider compliance with Security, Privacy, and Breach Rules will be audited
Most common Security deficiencies from 2012-2013 pilot audits:
- Lack of or incomplete SRA
- Unaware of Security Rule requirements
HIPAA Audit Program: Recent Updates
- Delayed indefinitely (for now)
- More on-site audits, fewer remote audits
- On-site audits to verify that policies and procedures are in place and followed!
SRA Process
Step 1: Identify and Classify Assets
Step 2: Identify and Classify Threats and Vulnerabilities
Step 3: Assess Current Controls
Step 4: Determine Likelihood of Threat Occurrence
Step 5: Analyze Impact to Organization
Step 6: Determine Level of Risk
Step 7: Implement Security Controls
Step 8: Ongoing Risk Management Program and Recurring SRA Review
All Steps: Documentation!
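The following is an added example, not part of the original presentation or of M-CEITA's toolkit. It walks the NIST SP 800-30 risk definition (likelihood of a threat exploiting a vulnerability, times impact on an asset) through steps 1 to 6 of the process above as a small risk register: scenarios carry an asset, threat, vulnerability, raw likelihood and impact; implemented controls (step 3) reduce likelihood; a 5x5 qualitative matrix yields the risk level (step 6); and the output is the sorted, documented register with the unimplemented controls that become the step 7 plan of action. The asset names, scenarios, the one-step likelihood credit per implemented control, and the exact matrix cell values are this example's assumptions.

```python
"""Toy SRA risk register in the style of NIST SP 800-30 (added example).

All sample assets, scenarios and the one-step credit for an implemented
control are constructed for illustration; nothing here is M-CEITA's tool.
"""
from dataclasses import dataclass, field
from typing import List

# Qualitative scale shared by likelihood and impact. Index order matters:
# it is used both for the matrix lookup and for stepping likelihood down.
SCALE = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Risk = f(likelihood, impact). Rows: likelihood, columns: impact, both in
# SCALE order. The shape follows the qualitative risk table in SP 800-30
# Rev. 1 Appendix I; the cell values are this example's assumption and
# should be checked against the standard before reuse.
RISK_MATRIX = [
    ["Very Low", "Very Low", "Very Low", "Low", "Low"],     # likelihood Very Low
    ["Very Low", "Low", "Low", "Low", "Moderate"],          # likelihood Low
    ["Very Low", "Low", "Moderate", "Moderate", "High"],    # likelihood Moderate
    ["Very Low", "Low", "Moderate", "High", "Very High"],   # likelihood High
    ["Very Low", "Low", "Moderate", "High", "Very High"],   # likelihood Very High
]


@dataclass
class Control:
    name: str
    implemented: bool          # step 3: only controls actually in place count


@dataclass
class Scenario:
    asset: str                 # step 1
    cia: str                   # which of Confidentiality/Integrity/Availability
    threat: str                # step 2
    vulnerability: str         # step 2
    raw_likelihood: str        # step 4, before crediting controls
    impact: str                # step 5
    controls: List[Control] = field(default_factory=list)


def effective_likelihood(s: Scenario) -> str:
    """Each implemented control lowers likelihood one step, never below
    Very Low. The one-step credit is an assumption of this example."""
    idx = SCALE.index(s.raw_likelihood)
    credit = sum(1 for c in s.controls if c.implemented)
    return SCALE[max(0, idx - credit)]


def risk_level(likelihood: str, impact: str) -> str:
    """Step 6: look up the qualitative risk level in the matrix."""
    return RISK_MATRIX[SCALE.index(likelihood)][SCALE.index(impact)]


def assess(scenarios: List[Scenario]) -> list:
    """Build the register, highest risk first, with the gaps (controls not
    yet implemented) that feed the step 7 plan of action."""
    rows = []
    for s in scenarios:
        lik = effective_likelihood(s)
        rows.append({
            "asset": s.asset, "cia": s.cia, "threat": s.threat,
            "vulnerability": s.vulnerability,
            "likelihood": lik, "impact": s.impact,
            "risk": risk_level(lik, s.impact),
            "gaps": [c.name for c in s.controls if not c.implemented],
        })
    rows.sort(key=lambda r: SCALE.index(r["risk"]), reverse=True)
    return rows


def render(rows: list) -> str:
    """'All Steps: Documentation!' -- the register as plain text an auditor can read."""
    lines = []
    for r in rows:
        lines.append(f"[{r['risk']}] {r['asset']} ({r['cia']}): "
                     f"{r['threat']} via {r['vulnerability']}")
        lines.append(f"    likelihood={r['likelihood']} impact={r['impact']}")
        if r["gaps"]:
            lines.append("    plan of action: " + "; ".join(r["gaps"]))
    return "\n".join(lines)


# Constructed sample register; every value below is invented for the example.
SAMPLE = [
    Scenario("Clinician laptop with ePHI", "Confidentiality",
             "Theft or loss of device", "Local disk not encrypted",
             "High", "Very High",
             [Control("Full-disk encryption", False),
              Control("Cable lock policy", True)]),
    Scenario("EHR server", "Availability", "Ransomware", "Unpatched OS",
             "Moderate", "High",
             [Control("Offline nightly backups", True),
              Control("Patch management", True)]),
    Scenario("Paper charts in storage room", "Confidentiality",
             "Unauthorized staff access", "Room not locked",
             "Low", "Moderate", [Control("Locked door", False)]),
]

if __name__ == "__main__":
    print(render(assess(SAMPLE)))
```

Running the block prints the register with the unencrypted laptop at the top (High risk, plan of action: full-disk encryption), which mirrors the number one violation on the Top 10 slide; the point of the structure is that every number in the output traces back to a documented asset, threat, vulnerability and control decision, which is what OCR's guidance and an on-site audit ask to see.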
SRA Service and Tools
M-CEITA Security Risk Assessment Toolkit:
- Follows NIST guidance (SP 800-30 & SP 800-66)
- Work on-site with practice leaders
- Guide through every step of the SRA process
- Deliver analysis and recommended plan of action to improve compliance
Risk Assessment Tool: Sample Page
Sample Policy: Breach Notification and Reporting
Customizable to your practice!
Attesting to Meaningful Use
- Risk assessment is best performed during the 90-day reporting period
- CMS has allowed exceptions to this due to the CEHRT flexibility rule changes (2014 only)
- Must assess certified EHR technology
- Repeat for each reporting period
- Attest after you have conducted your Security Risk Assessment
- You do not have to correct deficiencies identified in the SRA before you attest to Meaningful Use
How frequently do I need to do an SRA?
- Recommended at least annually
- After significant changes to practice, technology, or environment (example: Internet Explorer and Windows XP)
- Every year of Meaningful Use attestation
Conclusion
- Security Risk Assessments are required for compliance with HIPAA and Meaningful Use
- Risk and regulatory oversight are increasing
- Practices are expected to take compliance seriously and put forth a good faith effort
- Required: hard work, diligence, integrity
- An SRA is the first step of a continuous, comprehensive Risk Management Program that will benefit your patients and your practice
Resources
- NIST SP 800-30
- NIST SP 800-39
- NIST SP 800-66
- ONC Guide to Privacy and Security of Health Information
- OCR "Wall of Shame" (breach portal)
- HHS Final Guidance on Risk Analysis
- HIPAA Administrative Simplification
Questions?
M-CEITA Contact Info:
www.mceita.org
888-MICH-EHR
mceita@altarum.org